A SECURED GRAPHICAL AUTHENTICATION FOR WEB BASED APPLICATIONS
ABSTRACT
Authentication is unavoidable in any environment where sensitive information is utilized. In accessing resources via the Internet, the most common means of identification required for authentication is the user's identity and a secret passphrase known as a password. Studies have shown that graphical passwords, which use images, pictures or objects, arose because users generate trivial text-based passwords when they cannot remember complex ones. Graphical passwords are stronger and more memorable. However, graphical-based passwords face several challenges, including the large storage capacity needed for all the images, pictures or objects, the lack of assistance for users browsing through an array of images, pictures or objects, and vulnerability to shoulder-surfing attacks.
This work develops a graphical authentication scheme for web-based applications that tackles the aforementioned issues by using a cued-recall technique which utilizes a grid system populated with pairs of values and a set of colored rows and columns. A shoulder-surfing-resistant interface was designed to assist users in generating a robust password. To improve the security of the system, a One Time Password (OTP) was used. The technologies and tools used were the Apache web server, the MySQL database management system and PHP: Hypertext Preprocessor (PHP), all running on the WAMP platform, together with Hypertext Markup Language (HTML), Cascading Style Sheets (CSS) and JavaScript.
The graphical authentication scheme was evaluated using the Magic Triangle Evaluation model. The results showed that the password space and entropy were 2.61 × 10^4 and 14.39 respectively. The scheme showed a level of resistance of about 85% towards shoulder-surfing attacks.
The study concluded that the graphical authentication scheme has a high level of resistance against shoulder-surfing attacks but a low password space and entropy, making it vulnerable to brute-force attacks. It is therefore recommended for use in environments where shoulder surfing is inevitable, and additional security mechanisms should be added to reduce its vulnerability to brute-force attacks. It can also be used as a Completely Automated Turing Test to tell Computers and Humans Apart (CAPTCHA).
Contents